Cookie consent
Cookie consent platforms collect and store user consent signals for websites — the records that prove GDPR and ePrivacy compliance. For EU buyers, the critical criterion is where consent logs are hosted and whether the vendor itself is EU-owned. Top-rated EU options on EU Vetted include ConsentManager (Germany, 5/5), Didomi (France, 4/5), and Iubenda (Italy, 4/5).
Cookie consent platforms — formally Consent Management Platforms (CMPs) — are the technical and legal infrastructure that websites use to collect, record, and document user consent for cookies and similar tracking technologies. They present the cookie banner, capture the user's choice at a granular purpose level, maintain timestamped audit logs, and communicate the consent signal to downstream marketing, analytics, and personalisation scripts. Without a functioning CMP, placing any non-essential cookie on an EU visitor's device is a violation of the ePrivacy Directive and a potential GDPR breach.
For EU buyers, the consent log is itself personal data: it records a user's choices, linked to a browsing session, at a specific time. Where that log is stored and who controls the infrastructure matters for the same reasons it does for any other personal-data processor. A US-owned CMP operating on EU servers is still potentially reachable by the CLOUD Act if the parent company is US-incorporated. EU-owned operators such as ConsentManager (Germany, 5/5) and Didomi (France, 4/5) are not subject to that direct exposure. Cookiebot (Denmark, 3/5) and Usercentrics (Germany, 3/5) are both listed as EU-headquartered but carry US funding that affects their ownership-signal rating.
The listings below show each product's country of incorporation, ownership signal, and editorial compliance score on a 1–5 scale — sourced from published DPAs and corporate filings, not from paid placements. Use the compliance-score filter to shortlist the highest-rated options, or the ownership filter if your procurement rules require strictly EU-owned processors. The scale filter separates single-site tools from enterprise platforms with multi-domain management, A/B testing for banner designs, and jurisdiction-specific consent flows.
-
ConsentManagerVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
German-owned CMP with own EU data centres (not hyperscaler); ISO 27001, IAB TCF v2 ID 31, 100K+ websites, from €23/mo.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned This listing EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None This listing EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
DE · 0 sub-procs Open ↗ -
DidomiVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Paris-based enterprise CMP (founded 2017); ISO 27001, Google-certified CMP; clients include Volvo, Michelin, Yahoo.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned This listing EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor This listing A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
FR · 0 sub-procs Open ↗ -
IubendaVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Italian privacy-compliance toolkit (Milan, est. 2010); 150K+ customers; subject to direction of Team.blue NV (Belgium).
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned This listing EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor This listing A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
0 sub-procs Open ↗ -
CookiebotVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Danish cookie consent (Cybot A/S, est. 2012); ISO 27001 + ISO 27701; acquired by Usercentrics 2022 (now Vista Equity-owned).
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded This listing EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material This listing US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
DK · 0 sub-procs Open ↗ -
UsercentricsVERIFIED SIGNALSJurisdiction
- EU / adequacy operator
- EU / adequacy hosting
- No US CLOUD Act exposure
Transparency- Third-party certification
- Open-source clients
- Public DPA
- Sub-processors disclosed
Munich-based CMP (founded 2017); 2.4M sites / 8.8B monthly consents; now Vista Equity Partners-owned alongside Cookiebot.
OWNERSHIPWhere ultimate control over the operating company sits.
-
EU-owned EU-incorporated and EU-controlled; no significant US ownership.
-
EU HQ, US-funded This listing EU-headquartered but US venture- or PE-controlled.
-
US-owned US-headquartered, or has a US parent company.
-
Other Swiss, UK or another non-EU jurisdiction.
CLOUD ACT EXPOSUREHow exposed customer data is to US authorities under the CLOUD Act.
-
None EU operator, no US parent, no US sub-processors of note.
-
Minor A transient US sub-processor (CDN, maps); data at rest stays in the EU.
-
Material This listing US parent, or a core sub-processor is a US-owned hyperscaler.
-
Direct The operator itself is US-incorporated.
DE · 0 sub-procs Open ↗
| Compare | Owner | CLOUD Act | Cert. | Sub-procs | ||||
|---|---|---|---|---|---|---|---|---|
|
ConsentManager
German-owned CMP with own EU data centres (not hyperscaler); ISO 27001, IAB TCF v2 ID 31, 100K+ websites, from €23/mo.
|
DE
Germany
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Didomi
Paris-based enterprise CMP (founded 2017); ISO 27001, Google-certified CMP; clients include Volvo, Michelin, Yahoo.
|
PARIS · FR
France
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Iubenda
Italian privacy-compliance toolkit (Milan, est. 2010); 150K+ customers; subject to direction of Team.blue NV (Belgium).
|
MILAN
Italy
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Cookiebot
Danish cookie consent (Cybot A/S, est. 2012); ISO 27001 + ISO 27701; acquired by Usercentrics 2022 (now Vista Equity-owned).
|
COPENHAGEN · DK
Denmark
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
ISO27701
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ | |
|
Usercentrics
Munich-based CMP (founded 2017); 2.4M sites / 8.8B monthly consents; now Vista Equity Partners-owned alongside Cookiebot.
|
MUNICH · DE
Germany
|
OWNERSHIP
Where ultimate control over the operating company sits.
|
CLOUD ACT EXPOSURE
How exposed customer data is to US authorities under the CLOUD Act.
|
ISO/IEC 27001
|
0 |
VERIFIED SIGNALS
Jurisdiction
Transparency
|
Open ↗ |